Vulnerabilities

# Arbitrary Command Execution: [Requires Authorized Session]

The function "show_daemon_xml_configs(self, daemon, REQUEST=None)" at line 540
of "/opt/zenoss/Products/ZenModel/ZenossInfo.py" passes the user-supplied value
of the "daemon" parameter to a "Popen()" call on lines 591 and 592:

This allows a malicious user with legitimate credentials (for an account with any
level of Zenoss privileges) to execute arbitrary commands as the "zenoss" user.
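The mitigation for this class of issue is to never let the request parameter reach a shell string: validate it against an allow-list of known daemon names and pass it as a separate argv element with shell=False. The following is an added illustration written for this page, not Zenoss code; the allow-list contents, the "/opt/zenoss/bin" layout and the "dump-xml-config" subcommand are placeholder assumptions.

```python
"""Allow-list validation of a daemon name before it reaches subprocess.

Added example, not Zenoss's own code. The daemon names, binary directory and
the "dump-xml-config" subcommand are placeholder assumptions.
"""
import re
import subprocess

# Hypothetical allow-list; a real deployment would build this from its
# installed-daemon registry rather than hard-coding it.
KNOWN_DAEMONS = frozenset({"zenhub", "zeneventd", "zenping", "zenstatus"})

# Defence in depth: even an allow-listed name must be a plain lowercase token,
# so path separators, whitespace and shell metacharacters never get through.
_DAEMON_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,63}$")

# Placeholder subcommand (assumption) used to build the argv list below.
CONFIG_SUBCOMMAND = "dump-xml-config"


def validate_daemon_name(daemon):
    """Return True only for a plain token that is on the allow-list."""
    if not isinstance(daemon, str):
        return False
    return bool(_DAEMON_NAME_RE.match(daemon)) and daemon in KNOWN_DAEMONS


def build_config_command(daemon, base_dir="/opt/zenoss/bin"):
    """Build the argv list for dumping a daemon's XML config.

    The weak pattern this replaces is interpolating the request parameter into
    a single shell string (e.g. Popen("%s/%s ..." % (base_dir, daemon),
    shell=True)); here the input is validated first and then passed as its
    own argv element, so the shell never parses it.
    """
    if not validate_daemon_name(daemon):
        raise ValueError("rejected daemon name: %r" % (daemon,))
    return ["%s/%s" % (base_dir, daemon), CONFIG_SUBCOMMAND]


def run_config_command(daemon):
    """Execute the validated command with shell=False and return its output."""
    argv = build_config_command(daemon)
    return subprocess.check_output(argv, shell=False).decode()


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, two that must be rejected.
    for candidate in ("zenhub", "zenhub; ls", "../zenhub"):
        try:
            print(candidate, "->", build_config_command(candidate))
        except ValueError as exc:
            print(candidate, "->", exc)
```

Rejecting before building the command (rather than escaping) keeps the accepted set explicit and auditable, which is what a reviewer wants to see for any parameter that ends up in a process invocation.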

# Arbitrary Command Execution: [Requires Authorized Session]

The Event Commands functionality allows a malicious user with legitimate
credentials and the "ZenManager" or "Manager" role to execute arbitrary commands
by creating an Event Command and then creating an Event.